def queryset(self, request):
return DeploymentPrivilege.select_by_user(request.user)
-class ControllerPrivilegeInline(PlStackTabularInline):
- model = ControllerPrivilege
- extra = 0
- suit_classes = 'suit-tab suit-tab-admin-only'
- fields = ['backend_status_icon', 'user','role','controller']
- readonly_fields = ('backend_status_icon', )
-
- def queryset(self, request):
- return ControllerPrivilege.select_by_user(request.user)
-
class ControllerSiteInline(PlStackTabularInline):
model = ControllerSite
extra = 0
# that reference specific fields on auth.User.
list_display = ('email', 'firstname', 'lastname', 'site', 'last_login')
list_filter = ('site',)
- inlines = [SlicePrivilegeInline,SitePrivilegeInline,ControllerPrivilegeInline,UserDashboardViewInline]
+ inlines = [SlicePrivilegeInline,SitePrivilegeInline,UserDashboardViewInline]
fieldListLoginDetails = ['backend_status_text', 'email','site','password','is_active','is_readonly','is_admin','public_key']
fieldListContactInfo = ['firstname','lastname','phone','timezone']
from .service import ServiceAttribute
from .tag import Tag
from .role import Role
-from .site import Site, Deployment, DeploymentRole, DeploymentPrivilege, Controller, ControllerRole, ControllerPrivilege, ControllerSite, SiteDeployment
+from .site import Site, Deployment, DeploymentRole, DeploymentPrivilege, Controller, ControllerRole, ControllerSite, SiteDeployment
from .dashboard import DashboardView, ControllerDashboardView
from .user import User, UserDashboardView
from .serviceclass import ServiceClass
from .site import ControllerManager, ControllerDeletionManager, ControllerLinkManager,ControllerLinkDeletionManager
from .slice import Slice, ControllerSlice
-from .controlleruser import ControllerUser
+from .controlleruser import ControllerUser, ControllerSitePrivilege, ControllerSlicePrivilege
from .image import Image, ImageDeployments, ControllerImages
from .node import Node
from .serviceresource import ServiceResource
users = Users.select_by_user(user)
qs = ControllerUser.objects.filter(user__in=users)
return qs
+
+
+class ControllerSitePrivilege(PlCoreBase):
+ objects = ControllerLinkManager()
+ deleted_objects = ControllerLinkDeletionManager()
+
+ controller = models.ForeignKey('Controller', related_name='controllersiteprivileges')
+ site_privilege = models.ForeignKey('SitePrivilege', related_name='controllersiteprivileges')
+ role_id = models.CharField(null=True, blank=True, max_length=200, db_index=True, help_text="Keystone id")
+
+ def __unicode__(self): return u'%s %s' % (self.controller, self.site_privilege)
+
+ def can_update(self, user):
+ if user.is_readonly:
+ return False
+ if user.is_admin:
+ return True
+ cprivs = ControllerSitePrivilege.objects.filter(site_privilege__user=user)
+ for cpriv in dprivs:
+ if cpriv.site_privilege.role.role == ['admin', 'Admin']:
+ return True
+ return False
+
+ @staticmethod
+ def select_by_user(user):
+ if user.is_admin:
+ qs = ControllerSitePrivilege.objects.all()
+ else:
+ cpriv_ids = [cp.id for cp in ControllerSitePrivilege.objects.filter(site_privilege__user=user)]
+ qs = ControllerSitePrivilege.objects.filter(id__in=cpriv_ids)
+ return qs
+
+
+class ControllerSlicePrivilege(PlCoreBase):
+ objects = ControllerLinkManager()
+ deleted_objects = ControllerLinkDeletionManager()
+
+ controller = models.ForeignKey('Controller', related_name='controllersliceprivileges')
+ slice_privilege = models.ForeignKey('SlicePrivilege', related_name='controllersliceprivileges')
+ role_id = models.CharField(null=True, blank=True, max_length=200, db_index=True, help_text="Keystone id")
+
+ def __unicode__(self): return u'%s %s' % (self.controller, self.slice_privilege)
+
+ def can_update(self, user):
+ if user.is_readonly:
+ return False
+ if user.is_admin:
+ return True
+ cprivs = ControllerSlicePrivilege.objects.filter(slice_privilege__user=user)
+ for cpriv in dprivs:
+ if cpriv.role.role == ['admin', 'Admin']:
+ return True
+ return False
+
+ @staticmethod
+ def select_by_user(user):
+ if user.is_admin:
+ qs = ControllerSlicePrivilege.objects.all()
+ else:
+ cpriv_ids = [cp.id for cp in ControllerSlicePrivilege.objects.filter(slice_privilege__user=user)]
+ qs = ControllerSlicePrivilege.objects.filter(id__in=cpriv_ids)
+ return qs
+
def __unicode__(self): return u'%s' % (self.role)
-class ControllerPrivilege(PlCoreBase):
- objects = ControllerLinkManager()
- deleted_objects = ControllerLinkDeletionManager()
-
- user = models.ForeignKey('User', related_name='controllerprivileges')
- controller = models.ForeignKey('Controller', related_name='controllerprivileges')
- role = models.ForeignKey('ControllerRole',related_name='controllerprivileges')
-
- def __unicode__(self): return u'%s %s %s' % (self.controller, self.user, self.role)
-
- def can_update(self, user):
- if user.is_readonly:
- return False
- if user.is_admin:
- return True
- cprivs = ControllerPrivilege.objects.filter(user=user)
- for cpriv in dprivs:
- if cpriv.role.role == 'admin':
- return True
- return False
-
- @staticmethod
- def select_by_user(user):
- if user.is_admin:
- qs = ControllerPrivilege.objects.all()
- else:
- cpriv_ids = [cp.id for cp in ControllerPrivilege.objects.filter(user=user)]
- qs = ControllerPrivilege.objects.filter(id__in=cpriv_ids)
- return qs
-
class Controller(PlCoreBase):
objects = ControllerManager()
url(r'plstackapi/planetstackroles/$', PlanetStackRoleList.as_view(), name='planetstackrole-list'),
url(r'plstackapi/planetstackroles/(?P<pk>[a-zA-Z0-9\-]+)/$', PlanetStackRoleDetail.as_view(), name ='planetstackrole-detail'),
- url(r'plstackapi/controllerprivileges/$', ControllerPrivilegeList.as_view(), name='controllerprivilege-list'),
- url(r'plstackapi/controllerprivileges/(?P<pk>[a-zA-Z0-9\-]+)/$', ControllerPrivilegeDetail.as_view(), name ='controllerprivilege-detail'),
-
url(r'plstackapi/networkslivers/$', NetworkSliverList.as_view(), name='networksliver-list'),
url(r'plstackapi/networkslivers/(?P<pk>[a-zA-Z0-9\-]+)/$', NetworkSliverDetail.as_view(), name ='networksliver-detail'),
-class ControllerPrivilegeSerializer(serializers.HyperlinkedModelSerializer):
- id = IdField()
-
- humanReadableName = serializers.SerializerMethodField("getHumanReadableName")
- validators = serializers.SerializerMethodField("getValidators")
- def getHumanReadableName(self, obj):\r
- return str(obj)
- def getValidators(self, obj):
- try:
- return obj.getValidators()
- except:
- return None
- class Meta:
- model = ControllerPrivilege
- fields = ('humanReadableName', 'validators', 'id','created','updated','enacted','backend_status','deleted','user','controller','role',)
-
-class ControllerPrivilegeIdSerializer(XOSModelSerializer):
- id = IdField()
-
- humanReadableName = serializers.SerializerMethodField("getHumanReadableName")
- validators = serializers.SerializerMethodField("getValidators")
- def getHumanReadableName(self, obj):\r
- return str(obj)\r
- def getValidators(self, obj):\r
- try:
- return obj.getValidators()
- except:
- return None\r
- class Meta:\r
- model = ControllerPrivilege
- fields = ('humanReadableName', 'validators', 'id','created','updated','enacted','backend_status','deleted','user','controller','role',)
-
-
-
-
class NetworkSliverSerializer(serializers.HyperlinkedModelSerializer):
id = IdField()
PlanetStackRole: PlanetStackRoleSerializer,
- ControllerPrivilege: ControllerPrivilegeSerializer,
-
NetworkSliver: NetworkSliverSerializer,
Project: ProjectSerializer,
-class ControllerPrivilegeList(generics.ListCreateAPIView):
- queryset = ControllerPrivilege.objects.select_related().all()
- serializer_class = ControllerPrivilegeSerializer
- id_serializer_class = ControllerPrivilegeIdSerializer
- filter_backends = (filters.DjangoFilterBackend,)
- filter_fields = ('id','created','updated','enacted','backend_status','deleted','user','controller','role',)
-
- def get_serializer_class(self):
- no_hyperlinks = self.request.QUERY_PARAMS.get('no_hyperlinks', False)
- if (no_hyperlinks):
- return self.id_serializer_class
- else:
- return self.serializer_class
-
- def get_queryset(self):
- return ControllerPrivilege.select_by_user(self.request.user)
-
- def create(self, request, *args, **kwargs):
- serializer = self.get_serializer(data=request.DATA, files=request.FILES)
- if not (serializer.is_valid()):
- response = {"error": "validation",
- "specific_error": "not serializer.is_valid()",\r
- "reasons": serializer.errors}\r
- return Response(response, status=status.HTTP_400_BAD_REQUEST)
- obj = serializer.object
- obj.caller = request.user
- if obj.can_update(request.user):
- return super(ControllerPrivilegeList, self).create(request, *args, **kwargs)
- else:
- raise Exception("failed obj.can_update")
-
- ret = super(ControllerPrivilegeList, self).create(request, *args, **kwargs)
- if (ret.status_code%100 != 200):
- raise Exception(ret.data)
-
- return ret
-
-
-class ControllerPrivilegeDetail(PlanetStackRetrieveUpdateDestroyAPIView):
- queryset = ControllerPrivilege.objects.select_related().all()
- serializer_class = ControllerPrivilegeSerializer
- id_serializer_class = ControllerPrivilegeIdSerializer
-
- def get_serializer_class(self):
- no_hyperlinks = self.request.QUERY_PARAMS.get('no_hyperlinks', False)
- if (no_hyperlinks):
- return self.id_serializer_class
- else:
- return self.serializer_class
-
- def get_queryset(self):
- return ControllerPrivilege.select_by_user(self.request.user)
-
- # update() is handled by PlanetStackRetrieveUpdateDestroyAPIView
-
- # destroy() is handled by PlanetStackRetrieveUpdateDestroyAPIView
-
-
-
class NetworkSliverList(generics.ListCreateAPIView):
queryset = NetworkSliver.objects.select_related().all()
serializer_class = NetworkSliverSerializer
from .model_policy_User import *
from .model_policy_Network import *
from .model_policy_Site import *
+from .model_policy_SitePrivilege import *
+from .model_policy_SlicePrivilege import *
--- /dev/null
+def handle(site_privilege):
+ from core.models import Controller, SitePrivilege, ControllerSitePrivilege
+
+ # apply site privilage at all controllers
+ controller_site_privileges = ControllerSitePrivilege.objects.filter(
+ site_privilege = site_privilege,
+ )
+ existing_controllers = [csp.controller for sp in controller_site_privileges]
+ all_controllers = Controller.objects.all()
+ for controller in all_controllers:
+ if controller not in existing_controllers:
+ ctrl_site_priv = ControllerSitePrivilege(controller=controller, site_privilege=site_privilege)
+ ctrl_site_priv.save()
+
--- /dev/null
+def handle(slice_privilege):
+ from core.models import Controller, SlicePrivilege, ControllerSlicePrivilege
+
+ # apply slice privilage at all controllers
+ controller_slice_privileges = ControllerSlicePrivilege.objects.filter(
+ slice_privilege = slice_privilege,
+ )
+ existing_controllers = [csp.controller for sp in controller_slice_privileges]
+ all_controllers = Controller.objects.all()
+ for controller in all_controllers:
+ if controller not in existing_controllers:
+ ctrl_slice_priv = ControllerSlicePrivilege(controller=controller, slice_privilege=slice_privilege)
+ ctrl_slice_priv.save()
+
from .sync_controller_sites import SyncControllerSites
from .sync_controller_slices import SyncControllerSlices
from .sync_controller_users import SyncControllerUsers
+from .sync_controller_site_privileges import SyncControllerSitePrivileges
+from .sync_controller_slice_privileges import SyncControllerSlicePrivileges
--- /dev/null
+import os
+import base64
+from collections import defaultdict
+from django.db.models import F, Q
+from planetstack.config import Config
+from observer.openstacksyncstep import OpenStackSyncStep
+from core.models.site import Controller, SitePrivilege
+from core.models.user import User
+from core.models.controlleruser import ControllerUser, ControllerSitePrivilege
+from util.logger import Logger, logging
+
+from observer.ansible import *
+
+logger = Logger(level=logging.INFO)
+
+class SyncControllerSitePrivileges(OpenStackSyncStep):
+ provides=[ControllerSitePrivilege]
+ requested_interval=0
+
+ def fetch_pending(self, deleted):
+
+ if (deleted):
+ return ControllerSitePrivilege.deleted_objects.all()
+ else:
+ return ControllerSitePrivilege.objects.filter(Q(enacted__lt=F('updated')) | Q(enacted=None))
+
+ def sync_record(self, controller_site_privilege):
+ logger.info("sync'ing controler_site_privilege %s at controller %s" % (controller_site_privilege, controller_site_privilege.controller))
+
+ if not controller_site_privilege.controller.admin_user:
+ logger.info("controller %r has no admin_user, skipping" % controller_site_privilege.controller)
+ return
+
+ template = os_template_env.get_template('sync_controller_users.yaml')
+ roles = [controller_site_privilege.site_privilege.role.role]
+ # setup user home site roles at controller
+ if not controller_site_privilege.site_privilege.user.site:
+ raise Exception('Siteless user %s'%controller_site_privilege.site_privilege.user.email)
+ else:
+ # look up tenant id for the user's site at the controller
+ #ctrl_site_deployments = SiteDeployment.objects.filter(
+ # site_deployment__site=controller_site_privilege.user.site,
+ # controller=controller_site_privilege.controller)
+
+ #if ctrl_site_deployments:
+ # # need the correct tenant id for site at the controller
+ # tenant_id = ctrl_site_deployments[0].tenant_id
+ # tenant_name = ctrl_site_deployments[0].site_deployment.site.login_base
+ user_fields = {
+ 'endpoint':controller_site_privilege.controller.auth_url,
+ 'name': controller_site_privilege.site_privilege.user.email,
+ 'email': controller_site_privilege.site_privilege.user.email,
+ 'password': controller_site_privilege.site_privilege.user.remote_password,
+ 'admin_user': controller_site_privilege.controller.admin_user,
+ 'admin_password': controller_site_privilege.controller.admin_password,
+ 'ansible_tag':'%s@%s'%(controller_site_privilege.site_privilege.user.email.replace('@','-at-'),controller_site_privilege.controller.name),
+ 'admin_tenant': controller_site_privilege.controller.admin_tenant,
+ 'roles':roles,
+ 'tenant':controller_site_privilege.site_privilege.site.login_base}
+
+ rendered = template.render(user_fields)
+ res = run_template('sync_controller_users.yaml', user_fields,path='controller_site_privileges')
+
+ # results is an array in which each element corresponds to an
+ # "ok" string received per operation. If we get as many oks as
+ # the number of operations we issued, that means a grand success.
+ # Otherwise, the number of oks tell us which operation failed.
+ expected_length = len(roles) + 1
+ if (len(res)==expected_length):
+ controller_site_privilege.role_id = res[0]['id']
+ controller_site_privilege.save()
+ elif (len(res)):
+ raise Exception('Could not assign roles for user %s'%user_fields['name'])
+ else:
+ raise Exception('Could not create or update user %s'%user_fields['name'])
+
+ def delete_record(self, controller_site_privilege):
+ if controller_site_privilege.role_id:
+ driver = self.driver.admin_driver(controller=controller_site_privilege.controller)
+ user = ControllerUser.objects.get(
+ controller=controller_site_privilege.controller,
+ user=controller_site_privilege.site_privilege.user
+ )
+ site = ControllerSite.objects.get(
+ controller=controller_site_privilege.controller,
+ user=controller_site_privilege.site_privilege.user
+ )
+ driver.delete_user_role(
+ user.kuser_id,
+ site.tenant_id,
+ controller_site_privilege.site_prvilege.role.role
+ )
--- /dev/null
+import os
+import base64
+from collections import defaultdict
+from django.db.models import F, Q
+from planetstack.config import Config
+from observer.openstacksyncstep import OpenStackSyncStep
+from core.models.slice import Controller, SlicePrivilege
+from core.models.user import User
+from core.models.controlleruser import ControllerUser, ControllerSlicePrivilege
+from util.logger import Logger, logging
+
+from observer.ansible import *
+
+logger = Logger(level=logging.INFO)
+
+class SyncControllerSlicePrivileges(OpenStackSyncStep):
+ provides=[ControllerSlicePrivilege]
+ requested_interval=0
+
+ def fetch_pending(self, deleted):
+
+ if (deleted):
+ return ControllerSlicePrivilege.deleted_objects.all()
+ else:
+ return ControllerSlicePrivilege.objects.filter(Q(enacted__lt=F('updated')) | Q(enacted=None))
+
+ def sync_record(self, controller_slice_privilege):
+ logger.info("sync'ing controler_slice_privilege %s at controller %s" % (controller_slice_privilege, controller_slice_privilege.controller))
+
+ if not controller_slice_privilege.controller.admin_user:
+ logger.info("controller %r has no admin_user, skipping" % controller_slice_privilege.controller)
+ return
+
+ template = os_template_env.get_template('sync_controller_users.yaml')
+ roles = [controller_slice_privilege.slice_privilege.role.role]
+ # setup user home slice roles at controller
+ if not controller_slice_privilege.slice_privilege.user.site:
+ raise Exception('Sliceless user %s'%controller_slice_privilege.slice_privilege.user.email)
+ else:
+ # look up tenant id for the user's slice at the controller
+ #ctrl_slice_deployments = SliceDeployment.objects.filter(
+ # slice_deployment__slice=controller_slice_privilege.user.slice,
+ # controller=controller_slice_privilege.controller)
+
+ #if ctrl_slice_deployments:
+ # # need the correct tenant id for slice at the controller
+ # tenant_id = ctrl_slice_deployments[0].tenant_id
+ # tenant_name = ctrl_slice_deployments[0].slice_deployment.slice.login_base
+ user_fields = {
+ 'endpoint':controller_slice_privilege.controller.auth_url,
+ 'name': controller_slice_privilege.slice_privilege.user.email,
+ 'email': controller_slice_privilege.slice_privilege.user.email,
+ 'password': controller_slice_privilege.slice_privilege.user.remote_password,
+ 'admin_user': controller_slice_privilege.controller.admin_user,
+ 'admin_password': controller_slice_privilege.controller.admin_password,
+ 'ansible_tag':'%s@%s'%(controller_slice_privilege.slice_privilege.user.email.replace('@','-at-'),controller_slice_privilege.controller.name),
+ 'admin_tenant': controller_slice_privilege.controller.admin_tenant,
+ 'roles':roles,
+ 'tenant':controller_slice_privilege.slice_privilege.slice.name}
+
+ rendered = template.render(user_fields)
+ res = run_template('sync_controller_users.yaml', user_fields,path='controller_slice_privileges')
+
+ # results is an array in which each element corresponds to an
+ # "ok" string received per operation. If we get as many oks as
+ # the number of operations we issued, that means a grand success.
+ # Otherwise, the number of oks tell us which operation failed.
+ expected_length = len(roles) + 1
+ if (len(res)==expected_length):
+ controller_slice_privilege.role_id = res[0]['id']
+ controller_slice_privilege.save()
+ elif (len(res)):
+ raise Exception('Could not assign roles for user %s'%user_fields['name'])
+ else:
+ raise Exception('Could not create or update user %s'%user_fields['name'])
+
+ def delete_record(self, controller_slice_privilege):
+ if controller_slice_privilege.role_id:
+ driver = self.driver.admin_driver(controller=controller_slice_privilege.controller)
+ user = ControllerUser.objects.get(
+ controller=controller_slice_privilege.controller,
+ user=controller_slice_privilege.slice_privilege.user
+ )
+ slice = ControllerSlice.objects.get(
+ controller=controller_slice_privilege.controller,
+ user=controller_slice_privilege.slice_privilege.user
+ )
+ driver.delete_user_role(
+ user.kuser_id,
+ slice.tenant_id,
+ controller_slice_privilege.slice_prvilege.role.role
+ )
+++ /dev/null
-import os
-import base64
-from collections import defaultdict
-from django.db.models import F, Q
-from planetstack.config import Config
-from observer.openstacksyncstep import OpenStackSyncStep
-from core.models.site import Controller, SitePrivilege
-from core.models.user import User
-from core.models.controlleruser import ControllerUser
-from util.logger import Logger, logging
-
-from observer.ansible import *
-
-logger = Logger(level=logging.INFO)
-
-class SyncControllerUser(OpenStackSyncStep):
- provides=[SitePrivilege]
- requested_interval=0
-
- def fetch_pending(self, deleted):
-
- if (deleted):
- return SitePrivilege.deleted_objects.all()
- else:
- return ControllerUser.objects.filter(Q(enacted__lt=F('updated')) | Q(enacted=None))
-
- def sync_record(self, controller_user):
- logger.info("sync'ing user %s at controller %s" % (controller_user.user, controller_user.controller))
-
- if not controller_user.controller.admin_user:
- logger.info("controller %r has no admin_user, skipping" % controller_user.controller)
- return
-
- template = os_template_env.get_template('sync_controller_users.yaml')
-
- # All users will have at least the 'user' role at their home site/tenant.
- # We must also check if the user should have the admin role
- roles = ['user']
- if controller_user.user.is_admin:
- roles.append('admin')
-
- # setup user home site roles at controller
- if not controller_user.user.site:
- raise Exception('Siteless user %s'%controller_user.user.email)
- else:
- # look up tenant id for the user's site at the controller
- #ctrl_site_deployments = SiteDeployment.objects.filter(
- # site_deployment__site=controller_user.user.site,
- # controller=controller_user.controller)
-
- #if ctrl_site_deployments:
- # # need the correct tenant id for site at the controller
- # tenant_id = ctrl_site_deployments[0].tenant_id
- # tenant_name = ctrl_site_deployments[0].site_deployment.site.login_base
- user_fields = {
- 'endpoint':controller_user.controller.auth_url,
- 'name': controller_user.user.email,
- 'email': controller_user.user.email,
- 'password': controller_user.user.remote_password,
- 'admin_user': controller_user.controller.admin_user,
- 'admin_password': controller_user.controller.admin_password,
- 'ansible_tag':'%s@%s'%(controller_user.user.email.replace('@','-at-'),controller_user.controller.name),
- 'admin_tenant': controller_user.controller.admin_tenant,
- 'roles':roles,
- 'tenant':controller_user.user.site.login_base}
-
- rendered = template.render(user_fields)
- res = run_template('sync_controller_users.yaml', user_fields,path='controller_users')
-
- # results is an array in which each element corresponds to an
- # "ok" string received per operation. If we get as many oks as
- # the number of operations we issued, that means a grand success.
- # Otherwise, the number of oks tell us which operation failed.
- expected_length = len(roles) + 1
- if (len(res)==expected_length):
- controller_user.kuser_id = res[0]['id']
- controller_user.save()
- elif (len(res)):
- raise Exception('Could not assign roles for user %s'%user_fields['name'])
- else:
- raise Exception('Could not create or update user %s'%user_fields['name'])
-
- def delete_record(self, controller_user):
- if controller_user.kuser_id:
- driver = self.driver.admin_driver(controller=controller_user.controller)
- driver.delete_user(controller_user.kuser_id)
+++ /dev/null
-import os
-import base64
-from collections import defaultdict
-from django.db.models import F, Q
-from planetstack.config import Config
-from observer.openstacksyncstep import OpenStackSyncStep
-from core.models.site import Controller, SiteDeployment
-from core.models.user import User
-from core.models.controllerusers import ControllerUser
-from util.logger import Logger, logging
-
-from observer.ansible import *
-
-logger = Logger(level=logging.INFO)
-
-class SyncControllerUser(OpenStackSyncStep):
- provides=[ControllerUser, User]
- requested_interval=0
-
- def fetch_pending(self, deleted):
-
- if (deleted):
- return ControllerUser.deleted_objects.all()
- else:
- return ControllerUser.objects.filter(Q(enacted__lt=F('updated')) | Q(enacted=None))
-
- def sync_record(self, controller_user):
- logger.info("sync'ing user %s at controller %s" % (controller_user.user, controller_user.controller))
-
- if not controller_user.controller.admin_user:
- logger.info("controller %r has no admin_user, skipping" % controller_user.controller)
- return
-
- template = os_template_env.get_template('sync_controller_users.yaml')
-
- # All users will have at least the 'user' role at their home site/tenant.
- # We must also check if the user should have the admin role
- roles = ['user']
- if controller_user.user.is_admin:
- roles.append('admin')
-
- # setup user home site roles at controller
- if not controller_user.user.site:
- raise Exception('Siteless user %s'%controller_user.user.email)
- else:
- # look up tenant id for the user's site at the controller
- #ctrl_site_deployments = SiteDeployment.objects.filter(
- # site_deployment__site=controller_user.user.site,
- # controller=controller_user.controller)
-
- #if ctrl_site_deployments:
- # # need the correct tenant id for site at the controller
- # tenant_id = ctrl_site_deployments[0].tenant_id
- # tenant_name = ctrl_site_deployments[0].site_deployment.site.login_base
- user_fields = {
- 'endpoint':controller_user.controller.auth_url,
- 'name': controller_user.user.email,
- 'email': controller_user.user.email,
- 'password': controller_user.user.remote_password,
- 'admin_user': controller_user.controller.admin_user,
- 'admin_password': controller_user.controller.admin_password,
- 'ansible_tag':'%s@%s'%(controller_user.user.email.replace('@','-at-'),controller_user.controller.name),
- 'admin_tenant': controller_user.controller.admin_tenant,
- 'roles':roles,
- 'tenant':controller_user.user.site.login_base}
-
- rendered = template.render(user_fields)
- res = run_template('sync_controller_users.yaml', user_fields,path='controller_users')
-
- # results is an array in which each element corresponds to an
- # "ok" string received per operation. If we get as many oks as
- # the number of operations we issued, that means a grand success.
- # Otherwise, the number of oks tell us which operation failed.
- expected_length = len(roles) + 1
- if (len(res)==expected_length):
- controller_user.kuser_id = res[0]['id']
- controller_user.save()
- elif (len(res)):
- raise Exception('Could not assign roles for user %s'%user_fields['name'])
- else:
- raise Exception('Could not create or update user %s'%user_fields['name'])
-
- def delete_record(self, controller_user):
- if controller_user.kuser_id:
- driver = self.driver.admin_driver(controller=controller_user.controller)
- driver.delete_user(controller_user.kuser_id)